The ThreatOps solution is designed to accelerate incident response by automatically gathering disparate attack information, correlating it, and displaying it in one dashboard where attacks can be scored and playbooks created. The playbooks can then be used to build repeatable processes, simplifying incident response. Through third-party integration with prevention systems (firewall, NAC, endpoint, SIEM), attacks will automatically be blocked and quarantined, expediting response actions and preventing the attack from continuing to spread through the network. Additionally, the solution lets customers threat hunt for forensic artifacts in other parts of the network and confirm that the attack has been eradicated.
Investigation Automation: The ThreatOps Platform works hand in hand with the BOTsink engagement server for in-network threat detection, attack analysis, and acceleration of incident response. Through automation, the ThreatOps Platform ingests information on threats detected by the BOTsink engagement server, SIEMs, and other devices, correlating attack data, logs, endpoint memory forensics, and use of deception credentials (detected by tracking failed logins). Additionally, through the Attivo solution or through integrations with endpoint vendors such as ForeScout and McAfee (ePO), threat hunting can be activated to find the root cause of the infection. This approach provides a more complete picture of the attack and ultimately reduces false positives and investigation time, thereby simplifying overall incident response.
Adaptive Deception: The ThreatOps Platform uses advanced analytics to profile attackers, dynamically deploy deception that is indistinguishable from production assets, and redirect attackers to decoys where their specific activities can be tracked to the level of detail needed by the other security solutions in the network for detection and remediation. This severely impacts attackers by forcing them to waste cycles in a deception maze.
Collaboration: The ThreatOps Platform is designed to provide a single source for the security team to review correlated attack information and to collaborate on incident response. Collaboration lets teams see real threats that they might have missed on their own, when each had only a partial view of threat activity across the network. Additionally, it creates a consolidated environment in which InfoSec teams can post IR activities and comments, so that data is easily shared and is not lost in handoffs or over time.
Scoring and Playbook Automation: Once the attack has been analyzed, the threat is scored and playbooks are created based on the organization's security policies. This helps customers prioritize threat response and produces playbooks for repeatable processes when the same attack is seen in the future. Automated playbooks reduce not only incident response time but also the skill set required to respond to future attacks.
Automated Incident Response Handling: Based on the security organization's policies and playbooks, and through third-party integration, the correlated attack information can be automatically shared with prevention and detection systems so that they block and isolate the attack for quick handling and remediation.
Remediation: ThreatOps generates a trouble ticket that provides the complete picture needed for swift and effective incident response. The ticket can then be passed, through integration, to applications such as ServiceNow or Jira, giving the IT help desk exactly the information it needs for immediate remediation of an infected system or unit.